2.3 KiB
2.3 KiB
Credential Audit Pattern
Systematic verification of all credentials across a server's config files.
Step 1 — Discover credential locations
# Find .env files
find /root/docker -name ".env" -o -name ".env.example"
# Find password/cred files
find /root/.config -type f \( -name "*.pass" -o -name "*.token" -o -name "*.cred" \)
# Find embedded keys in config.yaml
grep -rn "api_key\|password\|secret\|token" /root/.hermes/config.yaml | grep -v "^#"
Step 2 — Categorize by type
| Type | Test Method |
|---|---|
| Cloudflare API key | GET /client/v4/user/tokens/verify → 200 |
| Firecrawl API key | POST /api/v1/search → 200 |
| LLM provider key | curl to /v1/models → 200 |
| IMAP password | imaplib.IMAP4_SSL.login() → OK |
| SMTP password | smtplib.SMTP.login() → OK |
| Database password | SELECT 1 via native client |
| Docker service password | psql -U user -c "SELECT 1" via docker exec |
| CalDAV password | PROPFIND to caldav host → 207 |
Step 3 — Test each credential
Each test should return a clear SUCCESS/FAILURE indicator. Batch independent tests into a single terminal call.
Step 4 — Report results
| Credential | Location | Status |
|---|---|---|
| FIRECRAWL_API_KEY | ~/.hermes/.env | ✅ HTTP 200 |
| admin-ai api_key | config.yaml | ✅ HTTP 200 |
| g@germainebrown.com (IMAP) | himalaya/*.pass | ✅ LOGIN OK |
Pitfalls
- Secrets redacted by the agent's redactor —
read_fileandgrepshow secrets assk-lbh...bWPA. Useod -corsed -n '8p' /root/.hermes/config.yaml | xxdto recover actual values. - iCloud app-specific passwords expire — Apple requires new app-specific passwords periodically. Generate at appleid.apple.com → App-Specific Passwords.
- CalDAV passwords are NOT the same as IMAP passwords — iCloud requires separate passwords for each service, and the CalDAV password file is different from the IMAP password file.
- Service environment vars may not be in .env — Some services pass secrets via docker-compose
environment:blocks or systemdEnvironment=lines. Check both docker-compose.yml and service unit files. - "
Bearer ***bug" — Shell scripts that hardcode***instead of$VARIABLE_NAMEin curlAuthorizationheaders. Always verify the variable is used, not literal asterisks.